CLAIMS:

1. A method for assessing risk within an organization, comprising:
defining one or more zones, each of said one or more zones comprising an environment;
identifying one or more assets of said organization, each of said assets being located in a respective one of said zones;
conducting a respective impact assessment for each of said assets, each assessment comprising assessing the impact of the loss of said respective asset;
conducting for each of said zones a respective zone risk assessment, comprising assessing the risk level associated with placing a respective asset within said respective corresponding zone;
conducting for each asset a respective asset risk assessment, comprising assessing the risk level associated with said respective asset independent of the respective zone of said respective asset; and
assessing risk on the basis of at least said impact assessment, said zone risk assessments and said asset risk assessments.

2. A method as claimed in claim 1, including identifying one or more asset custodians, each comprising a custodian of a respective asset, and identifying one or more asset owners, each comprising an owner of a respective one or more of said assets.

3. A method as claimed in claim 2, wherein each of said custodians is an employee with care-taking responsibilities.

4. A method as claimed in claim 1, including maintaining a register of said assets.
5. A method as claimed in claim 4, wherein said register includes a respective owner of each of said assets.

6. A method as claimed in claim 1, including maintaining a register of said zones.

7. A method as claimed in claim 6, wherein said register includes a respective custodian of each of said zones.

8. A method as claimed in claim 1, wherein each of said assets is information related.

9. A method as claimed in claim 2, wherein each of said assets is information related, and each of said asset custodians is an information custodian, each comprising a custodian of a respective information storage device within said organization.

10. A method as claimed in claim 9, including defining at least four types of custodians: 1) physical and environment custodians, 2) network custodians, 3) software engineering custodians, and 4) MIS support custodians.

11. A method as claimed in claim 2, wherein each of said respective zone assessments is conducted by the respective custodian of said respective zone.

12. A method as claimed in claim 2, wherein each of said respective asset assessments is conducted by the respective owner of said respective asset.

13. A method as claimed in claim 1, including regarding the loss of an asset as equivalent to the loss of a system of which said asset is a part.

14. A method as claimed in claim 1, including determining a measured risk for each asset, said measured risk for a respective asset comprising the product of 1) an impact level determined in said impact assessment and 2) the maximum of an asset risk determined in said asset risk assessment and an asset risk determined in said zone risk assessment.

15. A method as claimed in claim 2, wherein none of said custodians is an owner.

16. An apparatus for assessing risk within an organization, comprising:
data input means for inputting asset information into a register of assets, each of said assets being an asset of said organization, each of said assets being located in a respective zone;
data storage for storing said register of assets, including for each of said assets said respective zone;
means for receiving or storing a respective zone risk assessment for each of said zones, said respective zone risk assessment comprising an assessment of the risk level associated with placing a respective asset within said respective corresponding zone;
means for receiving or storing a respective asset risk assessment for each asset, said respective asset risk assessment comprising an assessment of the risk level associated with said respective asset independent of the respective zone of said respective asset;
means for receiving or storing a respective impact assessment for each of said assets, each assessment comprising assessing the impact of the loss of said respective asset, and for assessing risk on the basis of at least said impact assessment, said zone risk assessments and said asset risk assessments to thereby form a risk assessment; and
output means for outputting said risk assessment.

17. An apparatus as claimed in claim 16, wherein said apparatus is operable to associate with each of said assets an asset custodian, each comprising a custodian of a respective asset, and to associate with each of said assets at least one asset owner, each comprising an owner of a respective one or more of said assets.

18. An apparatus as claimed in claim 16, wherein said register of assets includes a respective owner of each of said assets.

19. An apparatus as claimed in claim 16, wherein said apparatus includes data storage for storing a register of said zones.

20. An apparatus as claimed in claim 19, wherein said zone register includes data for associating a respective custodian with each of said zones.

21. An apparatus as claimed in claim 16, wherein each of said assets is information related.

22. An apparatus as claimed in claim 16, wherein said apparatus is operable to treat the loss of an asset as equivalent to the loss of a system of which said asset is a part.

23. An apparatus as claimed in claim 16, wherein said apparatus is operable to determine a measured risk for each asset, said measured risk for a respective asset comprising the product of 1) an impact level determined in said impact assessment and 2) the maximum of an asset risk determined in said asset risk assessment and an asset risk determined in said zone risk assessment.

24. A risk management method, comprising:
assessing risk according to the method of any one of claims 1 to 15; and
managing said risk.

25. A method as claimed in claim 24, wherein said managing of said risk comprises:
determining the distribution of the number of assets as a function of associated measured risk;
determining a maximum acceptable risk level; and
applying one or more controls if any of said assets exceeds said maximum acceptable risk level.

26. A method as claimed in claim 24, wherein said acceptable risk level comprises the lower of the highest available measured risk or 100%.
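The scoring of claims 14, 25 and 26 carried through on constructed sample registers, as an added Python example that is not part of the patent; the 0..1 scales for impact and risk, the percentage buckets, and the zone, asset, owner and custodian names are assumptions.

```python
# Worked example of the claimed method on constructed sample data (not from the patent).
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    custodian: str      # claim 7: the zone register records the zone's custodian
    zone_risk: float    # claim 1: risk of placing an asset in this zone, 0..1 (assumed scale)

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str          # claim 5: the asset register records the asset's owner
    zone: str           # claim 1: each asset sits in exactly one zone
    impact: float       # claim 1: impact of losing the asset, 0..1 (assumed scale)
    asset_risk: float   # claim 1: risk of the asset itself, independent of its zone

# Constructed registers (claims 4 and 6); names and values are invented for illustration.
ZONES = {z.name: z for z in (
    Zone("DMZ", "network custodian", 0.8),
    Zone("Internal LAN", "network custodian", 0.4),
    Zone("Secure room", "physical custodian", 0.1),
)}
ASSETS = [
    Asset("Customer DB", "CFO", "Internal LAN", impact=1.0, asset_risk=0.3),
    Asset("Public web server", "Marketing", "DMZ", impact=0.5, asset_risk=0.6),
    Asset("HR file share", "HR", "Internal LAN", impact=0.8, asset_risk=0.7),
    Asset("Backup tapes", "IT", "Secure room", impact=0.9, asset_risk=0.2),
]

def measured_risk(asset, zones=ZONES):
    """Claim 14: impact level times the larger of asset risk and zone risk, as a percentage."""
    zone_risk = zones[asset.zone].zone_risk
    return round(100 * asset.impact * max(asset.asset_risk, zone_risk), 1)

def risk_distribution(assets=ASSETS, bucket=10):
    """Claim 25: number of assets as a function of measured risk, in buckets of `bucket` %."""
    counts = Counter(int(measured_risk(a) // bucket) * bucket for a in assets)
    return dict(sorted(counts.items()))

def maximum_acceptable_risk(assets=ASSETS):
    """Claim 26: the lower of the highest measured risk or 100%."""
    return min(max(measured_risk(a) for a in assets), 100.0)

def assets_needing_controls(max_acceptable, assets=ASSETS):
    """Claim 25: assets whose measured risk exceeds the chosen maximum acceptable level."""
    return [a.name for a in assets if measured_risk(a) > max_acceptable]
```

With the claim 26 rule the threshold equals the highest measured risk, so no asset exceeds it; an organization that sets a lower threshold (e.g. 50%) gets the assets needing controls listed.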



